Reposted from the WeChat public account 小柳实验室, with modifications to the original text.
Preface
Is your server log flooded every day with scans for /admin, /wp-login.php and /.env?
Around 90% of these attacks come from outside mainland China. If your site only serves users in mainland China, there is no need to expose it to the whole world.
Better still, you do not need to recompile Nginx, you do not need a MaxMind account, and you do not even need an extra module.
Just take the public IP delegation data published by the Asia-Pacific Network Information Centre (APNIC), combine it with Nginx's built-in access control, and you can set up precise blocking in three steps.
Create the generation script
⚠️ Note: this guide uses kejilion's reverse-proxy setup (Nginx running in Docker), so the site configuration directory on the host is /home/web/conf.d; the include directives below reference the same files by their in-container path /etc/nginx/conf.d. Adjust the directory to match your own setup. If your main nginx.conf also includes /etc/nginx/conf.d/*.conf at the http level, the generated files will be parsed there as well; allow is valid in that context, so nginx -t still passes, but you may prefer a directory that is only reached through your explicit include lines.
sudo tee /usr/local/bin/gen-cn-allow.sh > /dev/null << 'EOF'
#!/bin/bash
# Generate Nginx allow rules from the official APNIC delegation data.
# Works on any Linux system.
set -euo pipefail
OUTPUT_DIR="/home/web/conf.d"
mkdir -p "$OUTPUT_DIR"
TMP="$(mktemp)"
trap 'rm -f "$TMP"' EXIT
echo "正在下载 APNIC 最新数据..."
# Fetch over HTTPS so the allow list cannot be altered in transit
wget -qO- https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest | \
awk -F'|' '
$2 == "CN" && $3 == "ipv4" {
    prefix = $4;
    # $5 is a host count; convert it to a prefix length (rounded to an integer)
    len = 32 - int(log($5) / log(2) + 0.5);
    print "allow " prefix "/" len ";";
}
$2 == "CN" && $3 == "ipv6" {
    # for IPv6 records $5 is already the prefix length
    print "allow " $4 "/" $5 ";";
}
' > "$TMP"
# Refuse to continue on an empty result: an empty allow file followed by
# "deny all" would lock every visitor out after the next reload
if ! grep -q '^allow' "$TMP"; then
    echo "APNIC download failed or returned no CN records; whitelist not updated" >&2
    exit 1
fi
# Split IPv4 and IPv6 (only IPv6 entries contain a colon) and add a comment header
{
    echo "# Auto-generated from APNIC - $(date)"
    grep -E '^allow [0-9]+\.' "$TMP" || true
} > "$OUTPUT_DIR/china-ipv4.conf"
{
    echo "# Auto-generated from APNIC - $(date)"
    grep -E '^allow [0-9a-fA-F]*:' "$TMP" || true
} > "$OUTPUT_DIR/china-ipv6.conf"
echo "✅ 中国 IP 白名单已生成:"
echo "  IPv4: $OUTPUT_DIR/china-ipv4.conf"
echo "  IPv6: $OUTPUT_DIR/china-ipv6.conf"
EOF
Make it executable
sudo chmod +x /usr/local/bin/gen-cn-allow.sh
Run it once to generate the whitelist
sudo /usr/local/bin/gen-cn-allow.sh
Expected output:
正在下载 APNIC 最新数据...
✅ 中国 IP 白名单已生成:
IPv4: /home/web/conf.d/china-ipv4.conf
IPv6: /home/web/conf.d/china-ipv6.conf
Verify the generated files
# Number of IPv4 rules
wc -l /home/web/conf.d/china-ipv4.conf
# Number of IPv6 rules
wc -l /home/web/conf.d/china-ipv6.conf
# First 5 lines of the file as a sample
head -5 /home/web/conf.d/china-ipv4.conf
Configure Nginx
Edit your site configuration file (for example /home/web/conf.d/your-site.conf):
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic;
    listen [::]:443 quic;
    server_name www.2345.com;
    ssl_certificate /etc/nginx/certs/www.2345.com_cert.pem;
    ssl_certificate_key /etc/nginx/certs/www.2345.com_key.pem;
    # Include the China IP whitelist (order matters!)
    include /etc/nginx/conf.d/china-ipv4.conf;
    include /etc/nginx/conf.d/china-ipv6.conf;
    # Optional: allow loopback so you do not lock yourself out
    allow 127.0.0.1;
    allow ::1;
    # Deny every request that matched nothing above
    deny all;
    # Redirect HTTP to HTTPS
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    location / {
        # your other configuration...
    }
}
⚠️ Key rule: Nginx evaluates allow/deny directives in order and stops at the first match, so the allow lines must come before deny all!
In practice this just means adding the following lines after the SSL configuration:
# Include the China IP whitelist (order matters!)
include /etc/nginx/conf.d/china-ipv4.conf;
include /etc/nginx/conf.d/china-ipv6.conf;
# Optional: allow loopback so you do not lock yourself out
allow 127.0.0.1;
allow ::1;
# Deny every request that matched nothing above
deny all;
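As an added example (not part of the original post or its scripts), the same conversion done in Python with only the standard library: it turns APNIC delegated records into allow rules, handles the case the awk log2 formula does not (an IPv4 host count that is not a power of two), refuses to emit an empty list, and replays Nginx's first-match allow/deny evaluation so the ordering rule above can be checked before a reload. The sample records are constructed, not real APNIC data.

```python
import ipaddress

# Constructed sample rows in the APNIC delegated format
# registry|cc|type|start|value|date|status. For ipv4 rows "value" is a host
# count (768 is deliberately not a power of two); for ipv6 rows it is already
# a prefix length. Other countries, ASN rows and summary rows are skipped.
SAMPLE = """\
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.32.0|768|20110414|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110414|allocated
apnic|CN|asn|4134|1|19990101|allocated
apnic|*|ipv4|*|8000|summary
"""

def delegated_to_networks(text, cc="CN"):
    """Yield an ip_network for every IPv4/IPv6 block delegated to cc."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[1] != cc:
            continue
        if fields[2] == "ipv4":
            start = ipaddress.IPv4Address(fields[3])
            count = int(fields[4])
            # Split a run of `count` hosts into the minimal CIDR set, so 768
            # hosts become a /23 plus a /24 instead of a bogus "/22.4" prefix.
            yield from ipaddress.summarize_address_range(start, start + count - 1)
        elif fields[2] == "ipv6":
            yield ipaddress.IPv6Network(f"{fields[3]}/{fields[4]}")

def render_allow_rules(text, cc="CN", min_rules=1):
    """Return (ipv4_lines, ipv6_lines) of Nginx allow directives. Raises if
    fewer than min_rules came out, so a bad download never overwrites a good
    allow file (which, followed by `deny all`, would lock everyone out)."""
    v4, v6 = [], []
    for net in delegated_to_networks(text, cc):
        (v4 if net.version == 4 else v6).append(f"allow {net.with_prefixlen};")
    if len(v4) + len(v6) < min_rules:
        raise ValueError("no allow rules produced; refusing to write the file")
    return v4, v6

def nginx_access(rules, client_ip):
    """Replay ngx_http_access_module: first match wins; no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        verb, target = rule.rstrip(";").split()
        if target == "all" or ip in ipaddress.ip_network(target):
            return verb == "allow"
    return True
```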
Validate the configuration
docker exec nginx nginx -t
Reload the configuration (graceful; existing connections are not affected)
docker exec nginx nginx -s reload
How to verify:
Visit from a domestic mobile 4G connection → the site should load normally;
Visit through an overseas proxy or VPS → you should get 403 Forbidden;
Note that allow/deny match the address the connection arrives from ($remote_addr). If the site sits behind a CDN or another reverse proxy, set up the real IP module (ngx_http_realip_module) first, otherwise every visitor is judged by the proxy's address rather than their own.
Set up a scheduled task
(refreshes automatically at 3 AM every day; the reload only runs if the script succeeded and nginx -t passed)
echo "0 3 * * * root /usr/local/bin/gen-cn-allow.sh && docker exec nginx nginx -t && docker exec nginx nginx -s reload >/dev/null 2>&1" | sudo tee /etc/cron.d/update-cn-ip
Verify the scheduled task
Check that the cron entry was created
cat /etc/cron.d/update-cn-ip
Check the cron service status
sudo systemctl status cron
Allow the Bing crawler
Create the Bing IP whitelist file
sudo tee /home/web/conf.d/bing-bot.conf > /dev/null << 'EOF'
# Bing Bot IP Ranges - Last updated: 2025-11-20
# Source: https://www.bing.com/toolbox/bingbot.json
allow 157.55.39.0/24;
allow 207.46.13.0/24;
allow 40.77.167.0/24;
allow 13.66.139.0/24;
allow 13.66.144.0/24;
allow 52.167.144.0/24;
allow 13.67.10.16/28;
allow 13.69.66.240/28;
allow 13.71.172.224/28;
allow 139.217.52.0/28;
allow 191.233.204.224/28;
allow 20.36.108.32/28;
allow 20.43.120.16/28;
allow 40.79.131.208/28;
allow 40.79.186.176/28;
allow 52.231.148.0/28;
allow 20.79.107.240/28;
allow 51.105.67.0/28;
allow 20.125.163.80/28;
allow 40.77.188.0/22;
allow 65.55.210.0/24;
allow 199.30.24.0/23;
allow 40.77.202.0/24;
allow 40.77.139.0/25;
allow 20.74.197.0/28;
allow 20.15.133.160/27;
allow 40.77.177.0/24;
allow 40.77.178.0/23;
EOF
Edit /home/web/conf.d/your-site.conf:
# ========== Access control rules (order matters!) ==========
# 1. Allow the Bing crawler first
include /etc/nginx/conf.d/bing-bot.conf;
# 2. Then allow China IPs
include /etc/nginx/conf.d/china-ipv4.conf;
include /etc/nginx/conf.d/china-ipv6.conf;
# 3. Allow loopback (optional)
allow 127.0.0.1;
allow ::1;
# 4. ⚠️ Finally deny every request that matched nothing above
deny all;
# ==============================================
Configuration reference
https://github.com/woniu336/open_shell/blob/main/www.2345.com.conf
Automating updates of the Bing IP ranges
sudo tee /usr/local/bin/update-bing-ips.sh > /dev/null << 'EOF'
#!/bin/bash
set -euo pipefail
OUTPUT="/home/web/conf.d/bing-bot.conf"
TMP="$(mktemp)"
echo "正在从必应官方获取最新 IP 段..."
# Parse the JSON with Python. -f makes curl fail on HTTP errors instead of
# feeding an error page to the parser, and writing to a temp file first means
# a failed download never clobbers the live allow list.
curl -fsS "https://www.bing.com/toolbox/bingbot.json" | python3 -c "
import sys, json
data = json.load(sys.stdin)
print('# Bing Bot IP Ranges - Updated: $(date)')
print('# Source: https://www.bing.com/toolbox/bingbot.json')
print()
for prefix in data.get('prefixes', []):
    if 'ipv4Prefix' in prefix:
        print(f\"allow {prefix['ipv4Prefix']};\")
    if 'ipv6Prefix' in prefix:
        print(f\"allow {prefix['ipv6Prefix']};\")
" > "$TMP"
# Count the rules and refuse an empty result
count=$(grep -c "^allow" "$TMP" || true)
if [ "$count" -eq 0 ]; then
    echo "No IP ranges received from Bing; keeping the existing file" >&2
    rm -f "$TMP"
    exit 1
fi
mv "$TMP" "$OUTPUT"
chmod 644 "$OUTPUT"
echo "✅ 必应爬虫 IP 已更新: $OUTPUT"
echo "  共 $count 条规则"
# Validate and reload Nginx
if docker exec nginx nginx -t 2>&1 | grep -q "successful"; then
    docker exec nginx nginx -s reload
    echo "✅ Nginx 配置已重载"
else
    echo "❌ Nginx 配置验证失败" >&2
    exit 1
fi
EOF
sudo chmod +x /usr/local/bin/update-bing-ips.sh
Test the script
sudo /usr/local/bin/update-bing-ips.sh
Add a cron job (updates on the 15th of every month; run this as root so the job can write to /home/web/conf.d and call docker):
(crontab -l ; echo "0 4 15 * * /usr/local/bin/update-bing-ips.sh") | crontab -